The Court of Appeal recently handed down judgment in the case of Farley (formerly CR) v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117

The Facts

The facts in Farley can be succinctly put. Over 400 current and former officers of the Sussex Police Force sought damages for breach of the GDPR and Data Protection Act 2018 and/or misuse of private information. While the breaches occurred in 2019 before IP completion day (the end of the Brexit transition period), it is suggested the principles decided in Farley will have equal application to claims arising from breach of the UK GDPR. 

The Defendant sent details of pension scheme statements (“the ABS”) to former, but at the time of posting out-of-date, addresses of the Claimants. This error was identified and the Claimants were notified within three months of posting. From an unopened letter, all that could have been seen (through the window of the envelope) was the name of the addressee together with the out-of-date address and (printed on the outside of the envelope) the words “Private and Confidential”.  

The Court Below

The High Court found:

  • At [143]: to have a viable claim for misuse of private information and/or breach of the data protection act, each Claimant must show that they have a real prospect of demonstrating that the ABS was opened and read by a third party. Without that, an essential element of the tort of misuse of private information, i.e. “misuse”, would be missing.
  • At [145]: the Claimants cannot advance a claim on the basis that, until returned, their personal information/data was “in danger” or “at risk”. The general law of tort does not generally allow recovery for the apprehension that a tort might have been committed. A near miss, even if it causes significant distress, is not sufficient. 
  • And, finally, at [146]: if the ABS has not been opened or read by a third party, there has been no real processing for the purposes of the Data Protection Act 2018.

Nicklin J therefore struck out all but the 14 Claimants who could positively assert that the ABSs were opened pursuant to CPR 3.4(2)(a). 

In quite the opposite fashion, Nicklin J found it unnecessary and undesirable to reach a concluded view on whether UK law imposes a threshold of seriousness in Data Protection Act 2018 claims. 

The Court of Appeal

The key findings of the Court of Appeal are as follows:

  • Proof that the data were disclosed is not an essential ingredient of processing or infringement. The term “processing” extends beyond whether the letters were opened to the steps taken in collating data and generating the letters. 
  • An allegation of “distress” is not an essential ingredient of a tenable claim. The term “non-material damage” (in Article 82) is given a wide meaning. Compensation is not, however, available in respect of “all emotional responses to an infringement”. 
  • No threshold of seriousness exists for claims arising under the GDPR so long as the Claimant can prove “non-material damage”. 
  • In claims based on a fear of personal data being misused by third-parties the claims must be “well-founded” in order to qualify as non-material damage. The test is an objective one of reasonableness based on the facts and matters that were or should have been known to the Claimant at the material time they experienced the stated fear. 
  • A person can hold well-founded fears about future harm even if no such harm in fact results.

As for the Jameel abuse of process argument advanced by the Respondent:

  • It is not a question of simply weighing the value of the claim against the cost of the proceedings. In Jameel, the game was not worth the candle because the action could not achieve, to any significant extent, the legitimate objective of protecting the Claimant’s reputation. 
  • An individual claim is either abusive or it is not; it cannot amount to an abuse of process merely because it is linked with or brought in conjunction with one or more other claims, even if those other claims have features of abuse.

This decision contains a lot to which practitioners ought to be alert:

  • A threshold of seriousness still exists in the law of misuse of private information. 
  • In cases based on a fear of misuse of data, pleadings must state a specific and reasonable basis for fearing that the data would be accessed by someone and its contents read. They must go further and also set out particular circumstances amounting to a reasonable basis for fearing that the information might be misused.
  • If the fears are not well-founded, the claim for compensation will fail in its entirety.

A Claimant who asserts and proves harm that does fall within the concept of “non-material damage” does not need to go further and show that the damage reaches a certain level of gravity before compensation may be awarded in claims under the GDPR.

Download this page
Back to Top